Zimbra not affected by log4j (CVE-2021-44228)
After intensive review and testing, Zimbra Development determined that the 0-day vulnerability in log4j (CVE-2021-44228) does not affect the currently supported Zimbra versions (9.0.0 & 8.8.15). Zimbra Collaboration Server currently uses log4j1 version 1.2.16, which does not contain the lookup expression feature found in versions 2.0 to 2.17 that is the cause of the vulnerability. Also, the Red Hat vulnerability (CVE-2021-4104) does not affect the Zimbra Collaboration Server versions (8.8.15 & 9.0.0). For this vulnerability to affect the server, it needs JMSAppender, which the ZCS Server does not use, and the ability to append configuration files.

Zimbra Desktop 7.3.1 is now available

A Forum to provide feedback, and report issues about Zimbra Desktop Beta or Release Candidate versions
wrightg
Posts: 27
Joined: Thu Aug 11, 2016 8:50 pm

Re: Zimbra Desktop 7.3.1 is now available

Postby wrightg » Fri Oct 20, 2017 1:16 pm

Thanks Phoenix, Bugzilla entry created.

Greg ...


phoenix
Ambassador
Posts: 26912
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Zimbra Desktop 7.3.1 is now available

Postby phoenix » Fri Oct 20, 2017 1:57 pm

wrightg wrote: Thanks Phoenix, Bugzilla entry created.

You're welcome. From what I remember, they don't do minor point releases for Bugzilla, it's just the major version.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
